Malware Analysis Report

2025-08-10 19:20

Sample ID 220616-lqgvvagaf2
Target abfb51c632365023e1367b1252d5cc23
SHA256 db7dbe105a8dc66001471482676ff758da4022321a2371a28b638aafe60c0163
Tags
formbook xloader uugs loader persistence rat spyware stealer suricata trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

db7dbe105a8dc66001471482676ff758da4022321a2371a28b638aafe60c0163

Threat Level: Known bad

The file abfb51c632365023e1367b1252d5cc23 was found to be: Known bad.

Malicious Activity Summary

formbook xloader uugs loader persistence rat spyware stealer suricata trojan

suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook

Xloader

Xloader Payload

Adds policy Run key to start application

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

Drops file in Program Files directory

Modifies Internet Explorer settings

Gathers network information

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-06-16 09:44

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-16 09:44

Reported

2022-06-16 09:50

Platform

win7-20220414-en

Max time kernel

152s

Max time network

163s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Xloader

loader xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata

Xloader Payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\NETSTAT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\YJSDLR18N = "C:\\Program Files (x86)\\Kdbwtpt\\gdiypx0.exe" C:\Windows\SysWOW64\NETSTAT.EXE N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 108 set thread context of 1144 N/A C:\Users\Admin\AppData\Local\Temp\SR2022061584,pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1144 set thread context of 1228 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Explorer.EXE
PID 964 set thread context of 1228 N/A C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\Explorer.EXE

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Kdbwtpt\gdiypx0.exe C:\Windows\SysWOW64\NETSTAT.EXE N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \Registry\User\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 C:\Windows\SysWOW64\NETSTAT.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 108 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\SR2022061584,pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 108 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\SR2022061584,pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 108 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\SR2022061584,pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 108 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\SR2022061584,pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 108 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\SR2022061584,pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 108 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\SR2022061584,pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 108 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\SR2022061584,pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1228 wrote to memory of 964 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\NETSTAT.EXE
PID 1228 wrote to memory of 964 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\NETSTAT.EXE
PID 1228 wrote to memory of 964 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\NETSTAT.EXE
PID 1228 wrote to memory of 964 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\NETSTAT.EXE
PID 964 wrote to memory of 1984 N/A C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\cmd.exe
PID 964 wrote to memory of 1984 N/A C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\cmd.exe
PID 964 wrote to memory of 1984 N/A C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\cmd.exe
PID 964 wrote to memory of 1984 N/A C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\cmd.exe
PID 964 wrote to memory of 816 N/A C:\Windows\SysWOW64\NETSTAT.EXE C:\Program Files\Mozilla Firefox\Firefox.exe
PID 964 wrote to memory of 816 N/A C:\Windows\SysWOW64\NETSTAT.EXE C:\Program Files\Mozilla Firefox\Firefox.exe
PID 964 wrote to memory of 816 N/A C:\Windows\SysWOW64\NETSTAT.EXE C:\Program Files\Mozilla Firefox\Firefox.exe
PID 964 wrote to memory of 816 N/A C:\Windows\SysWOW64\NETSTAT.EXE C:\Program Files\Mozilla Firefox\Firefox.exe
PID 964 wrote to memory of 816 N/A C:\Windows\SysWOW64\NETSTAT.EXE C:\Program Files\Mozilla Firefox\Firefox.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\SR2022061584,pdf.exe

"C:\Users\Admin\AppData\Local\Temp\SR2022061584,pdf.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"

C:\Windows\SysWOW64\NETSTAT.EXE

"C:\Windows\SysWOW64\NETSTAT.EXE"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"

C:\Program Files\Mozilla Firefox\Firefox.exe

"C:\Program Files\Mozilla Firefox\Firefox.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.kekenapeps.com udp
US 69.57.161.210:80 www.kekenapeps.com tcp
US 8.8.8.8:53 www.earntrading24.com udp
US 199.188.200.173:80 www.earntrading24.com tcp
US 199.188.200.173:80 www.earntrading24.com tcp
US 8.8.8.8:53 www.rodfernandesmarketing.com udp
US 45.152.44.238:80 www.rodfernandesmarketing.com tcp
US 45.152.44.238:80 www.rodfernandesmarketing.com tcp
US 8.8.8.8:53 www.masjidmuqarrabin.com udp
US 8.8.8.8:53 www.masjidmuqarrabin.com udp
US 8.8.8.8:53 www.thenftofficial.com udp
DE 217.160.0.161:80 www.thenftofficial.com tcp
DE 217.160.0.161:80 www.thenftofficial.com tcp
US 8.8.8.8:53 www.theswanmarketing.com udp
US 8.8.8.8:53 www.monicaconsulting.com udp
US 52.71.57.184:80 www.monicaconsulting.com tcp
US 52.71.57.184:80 www.monicaconsulting.com tcp
US 8.8.8.8:53 www.thedentalmethoddallas.com udp
US 8.8.8.8:53 www.tangkichco.com udp
US 38.26.245.41:80 www.tangkichco.com tcp
US 38.26.245.41:80 www.tangkichco.com tcp
US 8.8.8.8:53 www.outlookrepairhelp.com udp
HK 45.153.129.57:80 www.outlookrepairhelp.com tcp
HK 45.153.129.57:80 www.outlookrepairhelp.com tcp
US 8.8.8.8:53 www.aemsmc.com udp

Files

memory/108-54-0x0000000000F30000-0x0000000000F6C000-memory.dmp

memory/108-55-0x00000000003D0000-0x0000000000406000-memory.dmp

memory/1144-56-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1144-57-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1144-59-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1144-60-0x000000000041F370-mapping.dmp

memory/1144-62-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1144-63-0x00000000008F0000-0x0000000000BF3000-memory.dmp

memory/1144-64-0x0000000000200000-0x0000000000211000-memory.dmp

memory/1228-65-0x0000000004270000-0x000000000432B000-memory.dmp

memory/964-66-0x0000000000000000-mapping.dmp

memory/1984-67-0x0000000000000000-mapping.dmp

memory/964-68-0x0000000000F50000-0x0000000000F59000-memory.dmp

memory/964-69-0x00000000000C0000-0x00000000000EB000-memory.dmp

memory/964-70-0x0000000000C40000-0x0000000000F43000-memory.dmp

memory/964-71-0x0000000000AB0000-0x0000000000B40000-memory.dmp

memory/1228-72-0x0000000005C30000-0x0000000005CEA000-memory.dmp

memory/1228-73-0x0000000004270000-0x000000000432B000-memory.dmp

memory/964-74-0x0000000075A61000-0x0000000075A63000-memory.dmp

memory/1228-75-0x0000000005C30000-0x0000000005CEA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-16 09:44

Reported

2022-06-16 09:50

Platform

win10v2004-20220414-en

Max time kernel

152s

Max time network

162s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Xloader

loader xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata

Xloader Payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\cmstp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\CPXHR = "C:\\Program Files (x86)\\Lifm4\\igfxgxd0dxl.exe" C:\Windows\SysWOW64\cmstp.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1672 set thread context of 3736 N/A C:\Users\Admin\AppData\Local\Temp\SR2022061584,pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3736 set thread context of 2040 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Explorer.EXE
PID 3960 set thread context of 2040 N/A C:\Windows\SysWOW64\cmstp.exe C:\Windows\Explorer.EXE

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Lifm4\igfxgxd0dxl.exe C:\Windows\SysWOW64\cmstp.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \Registry\User\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 C:\Windows\SysWOW64\cmstp.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\cmstp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1672 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\SR2022061584,pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1672 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\SR2022061584,pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1672 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\SR2022061584,pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1672 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\SR2022061584,pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1672 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\SR2022061584,pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1672 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\SR2022061584,pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2040 wrote to memory of 3960 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cmstp.exe
PID 2040 wrote to memory of 3960 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cmstp.exe
PID 2040 wrote to memory of 3960 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cmstp.exe
PID 3960 wrote to memory of 4804 N/A C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmd.exe
PID 3960 wrote to memory of 4804 N/A C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmd.exe
PID 3960 wrote to memory of 4804 N/A C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmd.exe
PID 3960 wrote to memory of 4008 N/A C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmd.exe
PID 3960 wrote to memory of 4008 N/A C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmd.exe
PID 3960 wrote to memory of 4008 N/A C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\SysWOW64\cmstp.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\SR2022061584,pdf.exe

"C:\Users\Admin\AppData\Local\Temp\SR2022061584,pdf.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"

C:\Windows\SysWOW64\cmstp.exe

"C:\Windows\SysWOW64\cmstp.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"

C:\Windows\SysWOW64\cmd.exe

/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

Network

Country Destination Domain Proto
NL 88.221.144.179:80 tcp
NL 88.221.144.179:80 tcp
US 13.89.178.26:443 tcp
US 8.8.8.8:53 www.thedentalmethoddallas.com udp
US 8.8.8.8:53 www.lifeonloan.com udp
US 8.8.8.8:53 www.humblebullykennelsstore.com udp
US 8.8.8.8:53 www.4v5z41.xyz udp
US 54.166.223.180:80 www.4v5z41.xyz tcp
US 8.8.8.8:53 www.kekenapeps.com udp
US 69.57.161.210:80 www.kekenapeps.com tcp

Files

memory/1672-130-0x00000000005B0000-0x00000000005EC000-memory.dmp

memory/3736-131-0x0000000000000000-mapping.dmp

memory/3736-132-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3736-133-0x0000000001170000-0x00000000014BA000-memory.dmp

memory/3736-135-0x0000000001140000-0x0000000001151000-memory.dmp

memory/2040-136-0x00000000080B0000-0x00000000081BD000-memory.dmp

memory/3960-137-0x0000000000000000-mapping.dmp

memory/3736-138-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4804-139-0x0000000000000000-mapping.dmp

memory/3960-140-0x0000000000220000-0x0000000000236000-memory.dmp

memory/3960-141-0x0000000000E00000-0x0000000000E2B000-memory.dmp

memory/3960-142-0x0000000002DE0000-0x000000000312A000-memory.dmp

memory/3960-143-0x0000000002B80000-0x0000000002C10000-memory.dmp

memory/2040-144-0x00000000029C0000-0x0000000002A7D000-memory.dmp

memory/3960-145-0x0000000000E00000-0x0000000000E2B000-memory.dmp

memory/2040-146-0x00000000029C0000-0x0000000002A7D000-memory.dmp

memory/4008-147-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\DB1

MD5 b608d407fc15adea97c26936bc6f03f6
SHA1 953e7420801c76393902c0d6bb56148947e41571
SHA256 b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512 cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4